Using the Right Threat Intelligence Tools for the Job
February 7, 2018 • The Recorded Future Team
- According to research by ESG, cybersecurity professionals today find their jobs more difficult than two years ago. They identify three main reasons: the growing volume of cybersecurity alerts, the dangerous threat landscape, and a shortage of skilled cybersecurity professionals.
- Simply implementing more threat intelligence solutions is not enough — in fact, increasingly relying on automated threat intelligence solutions often adds to the volume of alerts that overwhelms cybersecurity analysts.
- The answer is to use a threat intelligence solution that includes a central management and analysis portal. Such a portal should be able to collect data from multiple sources and organize it for various kinds of users and use cases.
Today’s security operations centers increasingly rely on threat intelligence to help protect their organizations. The aim is to use these tools to gather threat intelligence that will improve the efficiency and effectiveness of their risk management, automate their processes, and allow them to go on the hunt for potential threats and stop them before they happen. Many organizations have cybersecurity programs that have been in place for years and are populated by experts using the best intelligence available to them.
Yet, despite all this progress, many organizations still struggle to operationalize their threat intelligence efficiently enough to make their jobs easier and their businesses more secure. According to new research by ESG, nearly three quarters of all surveyed cybersecurity professionals say their work is more difficult now than it was two years ago. Though able to process higher volumes of data and provide more comprehensive coverage, many new technologies in the threat intelligence industry simply do not provide the needed context, in-depth analysis, or integration to keep up with the growing number of threats.
To be truly effective, modern threat intelligence solutions should have the following five features:
- Collect high volumes of threat intelligence data from relevant sources and process it efficiently.
- Centralize the management of that data.
- Include analytics advanced enough to sort the good from the bad and make sense of that huge volume (a task that often requires both the speed of automated processes and the intuition and expertise of a human).
- Offer the ability to customize intelligence to be used for the right tasks.
- Integrate well with other security technologies.
Despite their best efforts, security operations centers using solutions that do not meet these criteria will find that their organizations remain vulnerable to persistent and clever adversaries that will continue to stay one step ahead while they are washed away in a deluge of data.
Here, we’ll look at three of the biggest challenges facing cybersecurity teams today, and then focus on how organizing data with a threat intelligence solution that has a central management and analysis portal can help respond to one of those challenges — namely, the growing cacophony of security alerts faced by many security operations centers.
In their responses to ESG’s survey, cybersecurity professionals identified three main problems that have made their work increasingly difficult over the last two years.
The growing volume of security alerts. Threat intelligence solutions are meant to make the job of a cybersecurity professional easier, but the growing number of tools that are added, often piecemeal, to an organization’s security suite can lead to an overwhelming and incomprehensible number of security alerts, as each tool sounds an alarm when it detects suspicious behavior. At the scale of today’s volumes of data, the number of daily alerts that any given security analyst is confronted with is simply too high to respond to effectively, leading many to ignore some alerts or prioritize the wrong ones.
The dangerous threat landscape. Threat actors are increasingly determined, motivated, and organized. As put in a 2017 article in The Economist, data has now replaced oil as the world’s most valuable commodity — and as the world economy becomes increasingly reliant on the internet and big data, threat actors have only become more numerous and persistent. They rely on not only sophisticated exploits and malware, but also various avenues of social engineering attacks, such as by targeting vulnerable or high-priority individuals through social media.
The cybersecurity skills shortage. More than half of all organizations responding to ESG’s survey said that they have a “problematic shortage” of cybersecurity skills. It takes years to develop the right expertise and intuition to effectively analyze threat intelligence, and good analysts are few and far between. Increasingly automated threat intelligence solutions can only go so far — computers are still vastly inferior to human experts when providing context to data and making suggestions for future action. That leaves many organizations short-staffed when it comes to knowledge domains like security analysis, investigation, and threat hunting.
The Need for a Central Management and Analysis Portal
The chaotic environment created by the three problems listed above demands a comprehensive solution. To alleviate the first problem — namely, the growing volume of security alerts coming from multiple sources that are often assembled ad hoc — a threat intelligence solution should have a central management and analysis portal.
A threat intelligence platform that includes a feature like this will help to make sense of the large volume of data that comes from disparate sources. Today, many organizations gather threat intelligence from both open sources and purchased feeds, view product portals, buy custom reports and services to stay ahead of impending threats, and share information with industry Information Sharing and Analysis Centers (ISACs). Data from so many sources can be better suited to one use case or another, and it can appear in different formats. Some might require automation to process and make sense of it, while others, like the intelligence that comes from reports, might take an expert eye to apply effectively. Such a plethora is overwhelming for even the most seasoned experts.
According to the ESG report, what this means is that organizations using solutions that have a central management and analysis portal will find it far easier to correlate, contextualize, enrich, and normalize these large volumes of data. A good platform will be able to connect information across these different sources of intelligence and provide a common view for both multiple use cases and for different kinds of users, like security analysts, threat hunters, incident responders, and risk managers.
One of the greatest values of such a system is that it should cut down on the number of alerts that a security analyst faces every day. There is simply not enough time in the day to respond to every alert, which means that an analyst must make choices about which alerts to respond to and which to ignore. Among those alerts the analyst chooses to respond to, they must be further prioritized by severity. Analysts in such a situation also run the risk of becoming conditioned to these alerts — if hundreds of supposedly critical alerts are sounded each day, some large percentage of them ignored, and the organization continues to run without issue, then maybe most of those alerts are never anything to worry about. Given enough time, an expert threat analyst may be able to make the right choice in prioritizing between a handful of alerts, but such an effort is time-consuming and mentally taxing. A central portal should cut down on false positives, prioritize the right alerts, and provide the information in a widely applicable format.
To get more information on the problems facing contemporary security operations centers and how a comprehensive threat intelligence solution can resolve those problems, download your complimentary copy of ESG’s “Operationalizing Threat Intelligence With a Complete Solution.”